Hilton Worldwide recently announced that it had discovered and removed malware designed to steal payment card information from restaurants, gift shops and other point-of-sale systems at some of its hotels.
Working with third-party forensics experts, law enforcement and payment card companies, Hilton says it determined that the malware specifically targeted cardholder names, payment card numbers, security codes and expiration dates. No addresses or PINs were accessed.
“You have my personal assurance that we take this matter very seriously, and we immediately launched an investigation and further strengthened our systems,” Hilton executive vice president for global brands Jim Holthouser wrote in a letter to customers. “However, as a precautionary measure, some of you may wish to review payment card statements during certain time periods.”
All customers who used a payment card at a Hilton Worldwide hotel between November 18 and December 5, 2014, or between April 21 and July 27, 2015, are advised to review and monitor their card statements, and to contact their financial institutions regarding any irregular activity.
“Based on discussions with industry experts, compromised credit card information alone generally is not used to open new lines of credit or steal a person’s identity,” Hilton stated in a FAQ. “However, it never hurts to check your credit report.”
All those affected are being offered one year of free access to credit monitoring services from AllClear ID.
Investigative reporter Brian Krebs had warned two months ago of a possible credit card breach at Hilton Worldwide.
Mark Bower, global director of product management for enterprise data security at HPE Security, told eSecurity Planet by email that the Hilton payment card breach, along with last week’s Starwood breach, clearly demonstrates that hospitality service providers, like retailers, are facing enormous challenges with point-of-sale security. “GammaPOS, Abaddon, Dexter, the newly discovered ModPOS and other retail malware are designed to steal clear data in memory from POS applications, resulting in the loss of magstripe data, EMV card data or other sensitive data exposed at the point of sale,” he said.
Still, Bower said, any business using a POS system can minimize the impact of these types of attacks. “Proven methods are available to neutralize data from breaches either at the card reader, at the point of sale, in person or online,” he said. “Leading retailers and payment processors have adopted these data-centric security techniques with huge positive benefits: reduced exposure of live data from the reach of advanced malware during an attack, and reduced impact of increasingly aggressive PCI DSS 3.1 compliance enforcement laws, laws aimed at making data security a ‘business as usual’ matter for any organization handling card payment data.”
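The two quotes above describe the problem and the countermeasure at a high level: memory-scraping POS malware harvests track data that sits in clear text in the POS process, and reader-side encryption or tokenization removes that data before the POS ever sees it. The following Python is an added illustration written for this article, not code from Hilton, HPE Security or any of the malware families named; it runs the same kind of pattern search a RAM scraper (or a defensive data-discovery scan) would run over a constructed, labelled memory snapshot, using the well-known Visa and Mastercard test numbers rather than real cards. The second, "encrypted at the reader" buffer and its opaque ciphertext string are hypothetical.

```python
import re

# Constructed sample of a POS process's memory after a swipe: a Track 1
# record, a Track 2 record, an unrelated string and a decoy digit run in
# Track 2 format whose "PAN" does not pass the Luhn check.
# The 4111... and 5555... numbers are the standard test PANs, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00order=1042;table=7\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    b"\x00\x00"
    b";5555555555554444=2512101123400001234?"
    b"\x00\x00receipt printed\x00"
    b";1234567890123456=2512101?"          # fails Luhn: must not be reported
    b"\x00"
)

# Hypothetical memory of a terminal where the reader encrypted the track
# data before handing it to the POS application: only an opaque blob is
# present, so the same scan finds nothing to steal.
SAMPLE_MEMORY_P2PE = (
    b"\x00\x00order=1042;table=7\x00"
    b"enc_track=AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA=;ksn=FFFF9876543210E00001\x00"
    b"\x00receipt printed\x00"
)

# ISO 7813 track layouts: %B<PAN>^<NAME>^<YYMM><service code...>?  and  ;<PAN>=<YYMM>...?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})[^?]*\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})[^?]*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check; weeds out digit runs that merely look like a PAN."""
    digits = [int(c) for c in pan.decode("ascii")]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep first six and last four digits (PCI DSS display rule)."""
    p = pan.decode("ascii")
    return p[:6] + "*" * (len(p) - 10) + p[-4:]


def scan_memory(buf: bytes) -> list:
    """Return Luhn-valid Track 1/2 records found in buf, ordered by offset."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"offset": m.start(), "track": 1, "pan": mask(pan),
                         "name": m.group(2).decode("ascii", "replace"),
                         "expiry": m.group(3).decode("ascii")})
    for m in TRACK2.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"offset": m.start(), "track": 2, "pan": mask(pan),
                         "expiry": m.group(2).decode("ascii")})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
    print("P2PE buffer hits:", scan_memory(SAMPLE_MEMORY_P2PE))
```

The Luhn filter is what separates a usable scraper (or a low-noise data-discovery scan) from a regex that fires on every sixteen-digit order number; the empty result on the second buffer is the whole point of "neutralizing data at the card reader": malware in the POS process has nothing in the right format to collect.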
And Tripwire CTO Dwayne Melancon said upcoming holiday travel and vacations mean that cyber criminals will inevitably be targeting many travel-related businesses, including hotel chains. “If they haven’t done so already, hotel chains should assess their networks to isolate their POS devices as much as possible from non-payment portions of their networks,” he said. “Additionally, it is vital that any business that relies on point-of-sale technology use a security system that can continuously monitor their systems to understand what a normal configuration looks like, so any suspicious changes to the point-of-sale system can be detected immediately and dealt with before a loss occurs.”
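The monitoring Melancon describes is, at its core, a known-good baseline of the POS host compared against later snapshots (the file-integrity monitoring PCI DSS requires on cardholder-data systems). The following Python is an added example for this article, not Tripwire's product or any code from the page; it hashes a file tree into a baseline, diffs a later snapshot against it and reports added, removed and modified paths. The two sample trees (a payment endpoint rewritten in `config.ini`, a new executable under `Windows/Temp`) are constructed for illustration, and `snapshot_dir` is provided for use against a real directory.

```python
import hashlib
import os


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline_from_tree(tree: dict) -> dict:
    """tree maps relative path -> file contents; returns path -> sha256."""
    return {path: hash_bytes(content) for path, content in sorted(tree.items())}


def snapshot_dir(root: str) -> dict:
    """Walk a real directory and hash every regular file (live use)."""
    tree = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                tree[os.path.relpath(full, root)] = f.read()
    return baseline_from_tree(tree)


def diff_baselines(known_good: dict, current: dict) -> dict:
    """Compare two path->hash maps; any difference is a change to investigate."""
    added = sorted(set(current) - set(known_good))
    removed = sorted(set(known_good) - set(current))
    modified = sorted(p for p in known_good
                      if p in current and known_good[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed sample: the POS host as baselined after a clean build...
KNOWN_GOOD_TREE = {
    "pos/pos_app.exe": b"pos application v4.2",
    "pos/config.ini": b"[payment]\nprocessor=https://gateway.example\n",
    "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
}

# ...and a later snapshot in which the payment endpoint was redirected and
# an unexpected executable appeared (hypothetical names, not real samples).
LATER_TREE = {
    "pos/pos_app.exe": b"pos application v4.2",
    "pos/config.ini": b"[payment]\nprocessor=https://evil.example\n",
    "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
    "Windows/Temp/update.exe": b"MZ\x90\x00unexpected binary",
}


def demo() -> dict:
    return diff_baselines(baseline_from_tree(KNOWN_GOOD_TREE),
                          baseline_from_tree(LATER_TREE))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind.upper():9} {path}")
```

Hashing the whole tree is deliberate: a change to a payment processor URL in a config file is as much an indicator as a new binary, and a baseline that only watches executables would miss it. In practice the baseline itself must be stored off the POS host and compared from a system the POS cannot write to, otherwise malware that owns the host can simply re-baseline.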
A recent eSecurity Planet article examined the challenge of improving POS security.